core/doc/install/sample-lighttpd.conf

# See http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions

### LOAD MODULES
server.modules = (
  "mod_access",
  "mod_accesslog",
  "mod_fastcgi",
  "mod_redirect",
  "mod_rewrite"
)

### BASIC STUFF
server.port = 80

server.username = "http"

server.groupname = "http"

server.document-root = "/path/to/your/www/files" #adjust to your setup

server.errorlog = "/var/log/lighttpd/error.log"

accesslog.filename = "/var/log/lighttpd/access.log"

### DISABLE DIR LISTING
dir-listing.activate = "disable"

### DISABLE REJECT EXPECT HEADER
### (needed for curl POST requests - otherwise they fail with error 417)
server.reject-expect-100-with-417 = "disable"

### DEFINE SUPPORTED INDEX FILENAMES
index-file.names = (
  "index.html",
  "index.htm",
  "index.php"
)

### DEFINE SUPPORTED MIME TYPES
mimetype.assign = (
  ".html" => "text/html",
  ".htm" => "text/html",
  ".css" => "text/css",
  ".txt" => "text/plain",
  ".svg" => "image/svg+xml",
  ".jpg" => "image/jpeg",
  ".png" => "image/png"
)

### DONT EVER SERVE FILES WITH EXTENSION
static-file.exclude-extensions = ( ".php" )

### PHP WITH PHP-FPM
### (needs php-fpm installed and running)
fastcgi.server = ( 
  ".php" => (
    "localhost" => (
      "socket" => "/run/php-fpm/php-fpm.sock",
      "broken-scriptfilename" => "enable",
      "allow-x-sendfile" => "enable"
    )                     
  )
)

### ENABLE SSL
$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.ca-file = "/etc/lighttpd/certs/ca-certs.crt" #adjust to your needs
  ssl.pemfile = "/etc/lighttpd/certs/red-ssl.crt" #adjust to your needs

  ssl.use-compression = "disable"
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"
  ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
}

### RISTRICT ACCESS TO DIRECTORYS AND FILES
$HTTP["url"] =~ "\.(out|log|htaccess)$" {
  url.access-deny = ("")
}

$HTTP["url"] =~ "(^|/)\.git|(^|/)store" {
  url.access-deny = ("")
}

### URL REWRITE RULES
url.rewrite-if-not-file = (
  "^\/([^\?]*)\?(.*)$" => "/index.php?q=$1&$2",
  "^\/(.*)$" => "/index.php?q=$1"
)